Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability has been found in Fujian Apex LiveBOS up to 2.0. Impacted is an unknown function of the file /feed/UploadImage.do of the component Endpoint. Such manipulation of the argument filename leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.1 is recommended to address this issue. Upgrading the affected component is advised.
AnalysisAI
Path traversal in Fujian Apex LiveBOS through the /feed/UploadImage.do endpoint allows remote attackers to manipulate the filename parameter and write files to arbitrary locations on the server. Versions up to 2.0 are affected. Public exploit code is available. Upgrading to version 2.1 resolves the vulnerability.
Technical ContextAI
The vulnerability exists in the UploadImage.do endpoint component, which handles file upload operations. The filename parameter passed to this endpoint is not properly validated or sanitized before use in file system operations, enabling classic path traversal attack patterns using directory traversal sequences (e.g., ../ or absolute paths). This maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a fundamental file system access control weakness where user-supplied input directly influences file write operations without adequate canonicalization or validation. The flaw allows an attacker to escape the intended upload directory and place files in sensitive locations.
RemediationAI
Immediately upgrade Fujian Apex LiveBOS to version 2.1 or later, which addresses the path traversal vulnerability in the UploadImage.do endpoint. For organizations unable to immediately upgrade, implement network-level access controls to restrict access to the /feed/UploadImage.do endpoint to trusted internal systems only, and disable the file upload feature if it is not actively required. Additionally, configure file system permissions on the server to prevent the LiveBOS application process from writing outside its designated upload directory, enforcing operating system-level restrictions as a compensating control. Monitor upload activity for suspicious filename patterns containing directory traversal sequences (../, ..\, or absolute paths) and log all file write operations for forensic review. Refer to vendor advisory channels for patch deployment timelines and verification steps.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26467